FreePBX Open Source - 2021-09-15 XSS Injection vulnerability in TTS, Blacklist, Bulk handler and UCP Module

  • SEC-2021-011

  • CVE Name : CVE-2021-41060.

  • Overview

    • A stored cross-site scripting (XSS) vulnerability exists in FreePBX 16, 15, 14 and 13 in the Text to Speech Engine, Blacklist, Bulk handler and UCP modules.

  • Discovered By :  Igor Semyonov igor@hackeruso.com  

  • Impact :

    • CVSS Base Score: 2.4

    • Impact Subscore: 1.4

    • Exploitability Subscore: 0.9

    • CVSS Temporal Score: 2.2

    • CVSS Environmental Score: 2.2

    • Modified Impact Subscore: 1.4

    • Overall CVSS Score: 2.2

    • CVSS Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:H/MUI:R/MS:U/MC:X/MI:X/MA:X

  • Vulnerable software and versions

  • FreePBX 13 -

    • Module: Blacklist affected version: <= 13.0.14.14 fix version: 13.0.14.15

    • Module: Bulkhandler affected version: <= 13.0.23 fix version: 13.0.24

    • Module: TTS affected version: <= 13.0.14 fix version: 13.0.15

  • FreePBX 14 -

    • Module: Blacklist affected version: <= 14.0.4 fix version: 14.0.5

    • Module: UCP affected version: <= 14.0.3.20 fix version: 14.0.3.21

    • Module: TTS affected version: <= 13.0.14 fix version: 13.0.15

  • FreePBX 15 -

    • Module: Blacklist affected version: <= 15.0.2.14 fix version: 15.0.2.15

    • Module: TTS affected version: <= 15.0.11 fix version: 15.0.12

    • Module: UCP affected version: <= 15.0.9 fix version: 15.0.10

  • FreePBX 16 -

    • Module: Blacklist affected version: <= 16.0.4 fix version: 16.0.5

    • Module: Bulkhandler affected version: <= 16.0.2 fix version: 16.0.3

    • Module: TTS affected version: <= 16.0.1 fix version: 16.0.2

    • Module: UCP affected version: <= 16.0.14 fix version: 16.0.15

Stored cross-site scripting arises when an attacker injects malicious executable scripts into the code of a trusted application or website. 

Here, an attacker injects a malicious script into user-provided input, and a user can click on it without noticing while logged in as an administrator. Through this, attackers can steal the user’s active session cookie. This issue occurs when we change the “Name” and “Text” input fields.

Blacklist Module 

This issue occurs in the “description” input field while adding or editing. Here too I have added the htmlentities() function.

Bulkhandler Module

For Bulkhandler, the issue persists after we import our CSV file containing the extension and its details. That is, the user adds some scripts to the CSV file before importing it into Bulkhandler.

UCP Dashboard

This issue occurs when we create/edit a dashboard in the UCP module. Since the code for creating/editing a dashboard is in JavaScript, I have to do something different compared to other modules.

The Sangoma and FreePBX team has deemed this a minor security issue. We strongly encourage all users of FreePBX 13, 14, 15 and 16 to upgrade to the latest fixed module versions. This can be done from the Module Admin GUI or fwconsole. For more information on using Module Admin, please see https://sangomakb.atlassian.net/wiki/spaces/PG/pages/20023939/Module+Admin+User+Guide .
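To decide which modules need the upgrade, the following added example (not part of the original advisory and not FreePBX code) compares installed module versions against the fix versions listed above. It assumes the module list is a pipe-delimited table with the module name and version in the first two columns (the layout assumed here for `fwconsole ma list` output), that the raw module names are blacklist, bulkhandler, tts and ucp, and that the fix version can be chosen by the module's own major version, which simplifies the per-release table.

```python
import re

# Fix versions copied from the advisory, keyed by module and module version series.
# Raw module names are an assumption; adjust them to match your system.
FIXED = {
    "blacklist":   {13: "13.0.14.15", 14: "14.0.5", 15: "15.0.2.15", 16: "16.0.5"},
    "bulkhandler": {13: "13.0.24", 16: "16.0.3"},
    "tts":         {13: "13.0.15", 15: "15.0.12", 16: "16.0.2"},
    "ucp":         {14: "14.0.3.21", 15: "15.0.10", 16: "16.0.15"},
}

def vtuple(version):
    """'15.0.2.14' -> (15, 0, 2, 14), so 15.0.9 sorts below 15.0.10."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_module_table(text):
    """Extract {module: version} from '| name | version | ...' rows."""
    found = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and re.fullmatch(r"\d+(\.\d+)+", cells[1]):
            found[cells[0].lower()] = cells[1]
    return found

def audit(installed):
    """Return {module: (installed_version, fix_version_or_None, status)}."""
    report = {}
    for module, have in installed.items():
        if module not in FIXED:
            continue  # module is not covered by this advisory
        fix = FIXED[module].get(vtuple(have)[0])
        if fix is None:
            status = "series not listed in advisory"
        else:
            status = "vulnerable" if vtuple(have) < vtuple(fix) else "fixed"
        report[module] = (have, fix, status)
    return report

# Constructed sample input (not captured from a real system).
SAMPLE = """\
| Module      | Version   | Status  |
| blacklist   | 15.0.2.14 | Enabled |
| bulkhandler | 15.0.6    | Enabled |
| tts         | 15.0.12   | Enabled |
| ucp         | 15.0.9    | Enabled |
"""

if __name__ == "__main__":
    for name, (have, fix, status) in audit(parse_module_table(SAMPLE)).items():
        print(f"{name:12} {have:10} fix={fix} -> {status}")
```

A module reported as "series not listed in advisory" has no affected or fix version given above for that series, so the script makes no claim about it.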

Sangoma takes security seriously and requests that any future FreePBX security issue be reported at security@freepbx.org.